Vulnerability
Transcript
A vulnerability is a weakness that allows a potential attacker to reduce a system's information assurance.

• Integrity
• Availability
• Confidentiality
• Authorization
• Authentication
• Non-repudiation

Vulnerability

• ISO 27005
  An asset (anything that has value to the company) or a group of assets that can be "exploited" by one or more threats.
• IETF RFC 2828
  A flaw or weakness in the design, implementation, or management and operation of a system that can be exploited to violate the system's security policy.
• ISACA
  A weakness in design, implementation, operation or internal control.

Vulnerability archives

• National Vulnerability Database https://nvd.nist.gov/
  – CVE Vulnerabilities
  – Checklists
  – US-CERT Alerts
  – US-CERT Vuln Notes
  – OVAL Queries
  – CPE Names

Try the search on the site.

CVE-2008-1930 Wordpress 2.5 Cookie Integrity Protection Vulnerability

The vulnerable function is wp_validate_auth_cookie, in the file wp-includes/pluggable.php:

    function wp_validate_auth_cookie($cookie = '') {
        if (empty($cookie)) {
            if (empty($_COOKIE[AUTH_COOKIE]))
                return false;
            $cookie = $_COOKIE[AUTH_COOKIE];
        }

        list($username, $expiration, $hmac) = explode('|', $cookie);

        $expired = $expiration;

        // Allow a grace period for POST and AJAX requests
        if (defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'])
            $expired += 3600;

        if ($expired < time())
            return false;

        $key = wp_hash($username . $expiration);
        $hash = hash_hmac('md5', $username . $expiration, $key);

        if ($hmac != $hash)
            return false;

        $user = get_userdatabylogin($username);
        if (!$user)
            return false;

        return $user->ID;
    }

The function, block by block:

    if (empty($cookie)) {
        if (empty($_COOKIE[AUTH_COOKIE]))
            return false;
        $cookie = $_COOKIE[AUTH_COOKIE];
    }

1. The function reads the AUTH_COOKIE cookie if none was specified in the call.
2. If it is still empty, the function returns false.

    list($username, $expiration, $hmac) = explode('|', $cookie);

1. It populates three variables with the data taken from the cookie.

    $expired = $expiration;

    // Allow a grace period for POST and AJAX requests
    if (defined('DOING_AJAX') || 'POST' == $_SERVER['REQUEST_METHOD'])
        $expired += 3600;

    if ($expired < time())
        return false;

1. It checks the cookie's expiration.

    $key = wp_hash($username . $expiration);
    $hash = hash_hmac('md5', $username . $expiration, $key);

    if ($hmac != $hash)
        return false;

1. The wp_hash function hashes the content using a SECRET_KEY.
2. If the cookie's hash is not "valid", the function returns false.

    $user = get_userdatabylogin($username);
    if (!$user)
        return false;

    return $user->ID;

1. If a user with the name from the cookie exists, that user is activated: the function returns the user's ID.

The vulnerability:

    $hash = hash_hmac('md5', $username . $expiration, $key);

A collision can be generated:

    $username   $expiration   HMAC($username.$expiration)
    admin1      1353464343    1ba7d82099dd6119781b54ecf8b79259
    admin       11353464343   1ba7d82099dd6119781b54ecf8b79259

The fix:

    $hash = hash_hmac('md5', $username . '|' . $expiration, $key);

Separate the values correctly.

Porta patens esto. Nulli claudatur honesto. (Let the door be open. Let it be closed to no honest man.)
Porta patens esto nulli. Claudatur honesto. (Let the door be open to no one. Let it be closed to the honest man.)
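The collision and the fix from the CVE-2008-1930 slides, as an added PHP example (not WordPress code and not part of the original deck). DEMO_KEY, the function names, the clock value and the extra checks in validate_cookie (field count, digits-only expiration, hash_equals) are assumptions made for the demonstration.

```php
<?php
// Added example, not WordPress code. DEMO_KEY is a constructed stand-in for
// the per-cookie key that the original function obtains from wp_hash().
const DEMO_KEY = 'constructed-demo-key';

// Tag as in the vulnerable version: fields joined with no separator.
function tag_vulnerable(string $username, string $expiration): string {
    return hash_hmac('md5', $username . $expiration, DEMO_KEY);
}

// Tag as in the fix: '|' puts the field boundary inside the MAC input.
function tag_fixed(string $username, string $expiration): string {
    return hash_hmac('md5', $username . '|' . $expiration, DEMO_KEY);
}

// Validator built on the fixed tag. The field-count check, the digits-only
// expiration check and hash_equals() are extra hardening assumed here.
function validate_cookie(string $cookie, int $now): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$username, $expiration, $hmac] = $parts;
    if ($username === '' || !ctype_digit($expiration) || (int) $expiration < $now) {
        return null;
    }
    // Constant-time comparison instead of the loose != operator.
    if (!hash_equals(tag_fixed($username, $expiration), $hmac)) {
        return null;
    }
    return $username;
}

// The two field pairs from the slide; both concatenate to "admin11353464343".
$a = ['admin1', '1353464343'];
$b = ['admin', '11353464343'];
$now = 1353460000; // constructed clock value, earlier than both expirations

echo 'vulnerable tags equal: ', var_export(tag_vulnerable(...$a) === tag_vulnerable(...$b), true), "\n";
echo 'fixed tags equal:      ', var_export(tag_fixed(...$a) === tag_fixed(...$b), true), "\n";

// A cookie issued for $a, and the same tag attached to the fields of $b.
$issued  = implode('|', [$a[0], $a[1], tag_fixed(...$a)]);
$resplit = implode('|', [$b[0], $b[1], tag_fixed(...$a)]);
echo 'issued cookie:   ', var_export(validate_cookie($issued, $now), true), "\n";
echo 're-split cookie: ', var_export(validate_cookie($resplit, $now), true), "\n";
```

Without the separator both pairs hand the HMAC the same byte string, so their tags match; with the separator the inputs differ, and the tag issued for one pair no longer validates for the other.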